Sunday, July 25, 2010

Web Security Vulnerability

Security in a web application should be of high importance and addressed as early as possible, because there is a real risk of third parties gaining access to the data that the site's users share. Data in a web application generally passes through several components: the application layer, the web server and the database layer. Security has to be covered in all of them.

Vulnerabilities generally occur in web applications where the user is allowed to give input to the site in various forms: webmail such as Hotmail, where the user enters a user id and password to reach the mailbox, or online shopping and e-ticketing sites, where the user gives sensitive input such as a credit card number. Such sites are prime targets for attackers.

Attackers exploit such applications through various methods; the most common ones are:

1. Cross Site Scripting (XSS):
XSS allows the attacker to inject HTML or JavaScript into the pages that a website serves. When the victim navigates through the website, the injected code runs in the victim's browser, and whatever the victim enters can be captured by the attacker in the background. This is one of the most common application-layer web attacks, and it exploits the trust a user has in a particular website.

How to prevent: Tools exist that can detect XSS, but the main defence is to rely on the escaping your template system provides, keeping the template source clear and simple, rather than hand-rolling escape functions in JavaScript in the page source. Also familiarise yourself with the other security features of your template system. Good testing practices with respect to XSS are advisable.
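To make the escaping point concrete, here is an added example (not code from the original post): a vulnerable rendering function that concatenates user input straight into HTML, next to two hardened versions. The sample input, the `render_*` function names and the `contains_active_markup` check are all constructed for this illustration; a real application would let its template engine do the escaping, but the rules shown (HTML-escape for text and attribute context, JSON-encode for a script context) are the ones such engines apply.

```python
import html
import json

# Constructed sample of user-supplied input (not from the original post): a
# comment that contains a script tag and a quote that would break out of an
# HTML attribute.
SAMPLE_INPUT = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_unsafe(user_input: str) -> str:
    """The vulnerable pattern: user input concatenated straight into HTML,
    both inside an attribute and as element text."""
    return '<div class="comment" title="' + user_input + '">' + user_input + '</div>'


def render_escaped(user_input: str) -> str:
    """Hardened: HTML-escape the value for both the attribute and the text
    context. quote=True also escapes the quote characters, so the attribute
    cannot be closed early by the input."""
    safe = html.escape(user_input, quote=True)
    return '<div class="comment" title="' + safe + '">' + safe + '</div>'


def render_for_script(user_input: str) -> str:
    """A value placed inside a <script> block needs a different encoder:
    JSON-encode it (which escapes quotes and backslashes) and additionally
    escape '<' and '>' so that '</script>' in the input cannot terminate the
    block early."""
    encoded = json.dumps(user_input).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var comment = " + encoded + ";</script>"


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to illustrate the difference between the
    renderers: does the output still carry the raw script tag or the injected
    event-handler attribute from the sample input?"""
    lowered = rendered.lower()
    return "<script>alert" in lowered or '" onmouseover="' in lowered


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe),
                     ("escaped", render_escaped),
                     ("script", render_for_script)):
        out = fn(SAMPLE_INPUT)
        print(f"{name:8s} active={contains_active_markup(out)!s:5s} {out}")
```

The point of keeping three renderers side by side is that escaping is context-specific: the entity encoding that is correct for element text and attributes is not the right encoding for a value embedded in JavaScript, which is why delegating to a template system that knows the context is safer than a single hand-written escape call.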

2. Cross Site Request Forgery (CSRF)
When a web application is accessed, the web server creates a valid session identifier for the user. The browser stores that session id in a cookie, and the cookie, which carries the session details, remains active until the session expires. The attacker exploits this from the victim's browser: because the cookie is sent automatically with every request, the attacker can make the victim's browser perform actions such as clicking a button or sending an email on the victim's behalf. Hence CSRF is about exploiting the trust a website has in the user's browser.
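The standard mitigation is a per-session anti-forgery token that the browser does not send automatically. The following added example (not code from the original post) simulates a state-changing handler that only accepts a POST carrying a token bound to the session cookie; `SERVER_SECRET`, the request dictionaries and the `handle_transfer` helper are all constructed for the illustration, and a real framework would read the cookie and form fields from the HTTP request instead.

```python
import hashlib
import hmac

# Constructed server-side secret for the example only. A real deployment loads
# this from configuration; it is never hard-coded or shared with clients.
SERVER_SECRET = b"example-secret-do-not-use-in-production"


def issue_csrf_token(session_id: str) -> str:
    """Derive a token bound to the session: an HMAC over the session id.
    A page on another origin can neither read the victim's session cookie nor
    compute this MAC, so a forged cross-site request cannot include it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_valid_csrf_token(session_id: str, submitted_token) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    expected = issue_csrf_token(session_id).encode()
    submitted = (submitted_token or "").encode()
    return hmac.compare_digest(expected, submitted)


def handle_transfer(request: dict, session_cookie: str) -> str:
    """Simulated handler for a state-changing action. `request` is a
    constructed dict standing in for the HTTP method and POST form fields;
    `session_cookie` is the session id the browser attached automatically."""
    if request.get("method") != "POST":
        return "405 method not allowed"   # never change state on GET
    if not is_valid_csrf_token(session_cookie, request.get("csrf_token")):
        return "403 csrf token invalid"
    return "200 transfer accepted"


def legitimate_request(session_id: str) -> dict:
    """What the site's own form submits: the token was rendered into the page
    for this session, so the browser sends it back with the form."""
    return {"method": "POST", "to": "alice", "amount": "10",
            "csrf_token": issue_csrf_token(session_id)}


def forged_request() -> dict:
    """What a cross-site form post looks like at the server: the browser still
    attaches the session cookie, but the attacker's page had no way to
    include the session-bound token."""
    return {"method": "POST", "to": "mallory", "amount": "1000"}


if __name__ == "__main__":
    session = "sess-0123abcd"   # constructed session id
    print(handle_transfer(legitimate_request(session), session))
    print(handle_transfer(forged_request(), session))
```

Binding the token to the session id (rather than storing a random value server-side) keeps the check stateless, and `hmac.compare_digest` avoids leaking how many leading characters of a guessed token were right.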

3. Denial of Service (DoS)
This is a form of attack where the web server or gateway is flooded with a high volume of requests so that the server can no longer handle them or is shut down. DoS is generally targeted at sites handling high volumes of consumer data, such as banks, where the database is in constant use and a shutdown or sudden slowdown has a major impact; meanwhile the attacker consumes the server's resources.

For preventing DoS, these are the best approaches suggested by MSDN: http://technet.microsoft.com/en-us/library/cc750213.aspx
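One application-level control that limits how much a single flooding client can consume is per-client rate limiting. The following added example (not code from the original post or from the MSDN article) implements a sliding-window limiter and replays a constructed request log through it: one client sending 50 requests within a second and a normal client sending three spread-out requests. The class name, the limits (20 requests per second) and the sample addresses are all assumptions made for the illustration.

```python
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `max_requests` per `window_seconds` for each client key
    (for example a source IP), evaluated over a sliding window of timestamps."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = {}   # client key -> deque of request timestamps

    def allow(self, client: str, now: float) -> bool:
        """Record the request at time `now` and report whether it is admitted."""
        q = self._hits.setdefault(client, deque())
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False          # over the limit: reject, do not record
        q.append(now)
        return True


def replay(limiter: SlidingWindowLimiter, requests) -> dict:
    """Feed (timestamp, client) pairs through the limiter and return, per
    client, a tuple of (allowed, rejected) counts."""
    stats = {}
    for ts, client in requests:
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            allowed += 1
        else:
            rejected += 1
        stats[client] = (allowed, rejected)
    return stats


# Constructed request log: a flood of 50 requests in one second from one
# address, and three ordinary requests from another, merged in time order.
FLOOD = [(i / 50, "10.0.0.5") for i in range(50)]
NORMAL = [(0.1, "10.0.0.9"), (0.5, "10.0.0.9"), (1.5, "10.0.0.9")]
SAMPLE_REQUESTS = sorted(FLOOD + NORMAL)


def run_sample() -> dict:
    """Replay the constructed log with a limit of 20 requests per second."""
    limiter = SlidingWindowLimiter(max_requests=20, window_seconds=1.0)
    return replay(limiter, SAMPLE_REQUESTS)


if __name__ == "__main__":
    for client, (ok, dropped) in run_sample().items():
        print(f"{client}: allowed={ok} rejected={dropped}")
```

A limiter like this protects the database and application threads behind the web server from one misbehaving client, but it does nothing against a flood that saturates the network link before requests reach the application; that layer needs the network and gateway measures the linked article covers.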